[16269] in Kerberos_V5_Development
Re: Project Review: kinit -C
daemon@ATHENA.MIT.EDU (Sam Hartman)
Tue Sep 14 15:55:05 2010
From: Sam Hartman <hartmans@mit.edu>
To: Luke Howard <lukeh@padl.com>
Date: Tue, 14 Sep 2010 15:54:33 -0400
In-Reply-To: <391A3912-1EBF-4EA1-B460-8359359E5B44@padl.com> (Luke Howard's
message of "Tue, 14 Sep 2010 21:34:17 +0200")
Message-ID: <tsl7hionls6.fsf@live.mit.edu>
MIME-Version: 1.0
Cc: krbdev@mit.edu
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: krbdev-bounces@mit.edu
>>>>> "Luke" == Luke Howard <lukeh@padl.com> writes:
>> The administrator of a Kerberos database has access to all user
>> keys within that database. This is sufficient to impersonate any
>> user. Today, no convenient user interface is provided for
>> logging in as a given user without changing that user's
>> password. This project proposes to add a -c (cheat) option to
>> kinit. If this option is supplied, then the key will be extracted
>> from the database rather than prompting for a password. This
>> option requires that kinit be run on a KDC with read access to
>> the Kerberos database and stash file.
Luke> Um, can't we use S4U2Self for this? Or am I missing something
Luke> very obvious?
Are s4u2self tickets marked as such?
The use cases for this are things like an administrator impersonating a
user in order to respond to legal actions, or because someone is sick
and their files need to be accessed. So, you want explicitly the same
authorizations as a user, etc.
How much work would it be in the current s4u2self code to pull this off?
_______________________________________________
krbdev mailing list krbdev@mit.edu
https://mailman.mit.edu/mailman/listinfo/krbdev